What does EU Data Protection Regulation Mean for Digital Marketing?

What does EU Data Protection Regulation Mean for Digital Marketing?

It has been called “the biggest change to data protection law for a generation” and organizations need to be ready by the 25th of May 2018[1]. The new General Data Protection Regulation (GDPR) agreed by EU in early December will give both big and small companies serious headaches as they will have to adjust their current data handling procedures so that they are compliant.

It is even more so when it comes to marketing departments. Currently, the way consent is collected and data are processed in digital and direct marketing activities is a grey area. In some cases, personal data is collected and processed without explicit consent; data privacy and security requirements are not incorporated in the development of products or services – Privacy by Design being a new principle introduced by the GDPR -; sometimes data is used through third-party marketing platform with no clear consent given by the individuals during data collection.

The Data Protection Commissioner published an introductory document for organisations to help them prepare for the GDPR. Besides the need to be prepared on a business level – see a step-by-step plan here – marketing departments also need to start answering the following questions about personal data being hold by the organizations:

Why are you holding it?

How did you obtain it?

Why was it originally gathered?

How long will you retain it?

How secure is it, both in terms of encryption and accessibility?

Do you ever share it with third parties and on what basis might you do so?

At present only a few businesses can answer these questions. According to a recent survey “Organisational Readiness for the European Union General Data Protection Regulation (GDPR)”, only 27% of respondents “have an up to date record/register/inventory of the personal data they hold, including the purposes for which data is used and other information as required by the GDPR” and only 24% of the respondents felt they were fully compliant or near to full compliance.

So it is really important that businesses and marketing people start to plan, implement and assess compliance strategies to meet the obligations contained in the GDPR. There is substantial work to be done and legal counselors should be consulted. The GDPR is a far-reaching regulation and for businesses of a certain size it could be a good idea to appoint a dedicated Data Protection Officer[2]. Penalties are high, with fines that may be around €20 million or 4% of global annual turnover (the greater figure).

The following are only some of the areas in the GDPR that will affect marketing activities.

Consent is Key

Consent plays a very big part in the new regulation and it is likely to change many of the current procedures being used to collect it: “consent should be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication”[3]

“Affirmative action” and “unambiguous“mean that opt-out models (pre-ticked boxes) will not be allowed anymore. It also means that consent requires a positive indication of agreement: it cannot be part of the terms and conditions of a contract or a condition for using a service[4]. Also, consent will have to be “specific”: this will give marketers a hard time trying to figure how to maintain a positive customer experience by providing non-intrusive “granular choices”.

Charities for example will need to review the form of consent previously given in their database and make sure that this complies with the new regulation, if they want to keep sending valuable emails or text messages to their supporters. Similarly, pharma companies will need to review consent given for webinars, for example, in order to use the information for other communication or marketing purposes.

Moreover, under the GDPR, individuals have the right to withdraw consent and they need to be aware of their right.

At present, only 22% of the business surveyed currently gather separate consent for each processing activity.

Legitimate Interest

This is probably a grey area of the regulation and marketers will need more clarity if they are to be compliant by the deadline[5]. Consent is not the only legal justification for a company to process personal data. The GDPR allows legitimate interest as a “legal basis for processing”: “legitimate interest could exist for example when there is a relevant and appropriate relationship between the data subject and the controller in situations such as the data subject being a client or in the service of the controller”.

In a paper, Slaughter and May analyse instances where “legitimate interest” applies to some processing forms, such as market research or direct marketing activities.

The Right to be Forgotten

The right to erasure, also known as the “right to be forgotten”, requires companies to provide individuals with “mechanisms to request and if applicable obtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object”. Businesses or organizations are required to facilitate access to these mechanisms, and to respond quickly to requests to view, amend or destroy data.

Principle of Transparency

The GDPR requires that it should “be transparent for the individuals that personal data concerning them are collected, used, consulted or otherwise processed”, that the information about how data are processed should be “easily accessible and easy to understand” and that it should be provided in a “clear and plain language”. Article 14 of the GDPR lists the information that must be provided where the data are collected from the data subject.

Pseudonymization

A particular mention should be given to the process of pseudonymisation, which is defined by the GDPR as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information”. This, according to the GDPR “can reduce the risks for the data subjects concerned and help controllers and processors meet their data protection obligations”. Pseudonymisation is incentivised in order to allow companies to process data beyond their original collection purposes, for example for statistical, scientific or research purposes. This can be done by holding and processing separately data belonging to an individual so that these are no longer attributable to that individual.

What’s Next for Marketers?

The new legislation will not only affect the way data is collected and processed, but also digital marketing strategies implemented to market to users – these include techniques such as re-marketing and re-targeting techniques, behavioural targeting, the use of email lists in advertising platforms like Facebook, Google, LinkedIn and so on.

Marketers will need to make sure that consent notices comply with the GDPR, that is affirmative, informed, specific and unambiguous; that data storage and processing is transparent; that data are adequate, accurate and retained only for as long as necessary; that integrity and confidentiality of data is maintained throughout data collection and processing processes[6].

However, this is not where marketers’ challenges end. According to a recent study, 90 percent of consumers have privacy concerns, but they also enjoy seeing personalised and relevant services[7], which normally requires data processing. Most likely, complying with the new strict regulation will make business more trustworthy in the eyes of consumers, and maybe there’s an opportunity there to see users more willingly to share their data with companies in order to get custom information and services in return.

It will be interesting to see how marketers will use their ingenuity and creativity to deliver a personalised user experience and at the same time comply with the GDPR.